Istio Security-of-the-Mesh and in-the-Mesh

Istio: A Service Mesh Platform

A service mesh acts as a layer 7 overlay network that can span on-premise, data center, and cloud deployments. It provides routing, traffic shaping, load balancing, and telemetry, combined with security capabilities such as access control policies and encryption (mutual TLS). Istio is an open service mesh platform that connects, manages, and secures microservices. Istio provides layer 7 path-based routing, traffic shaping, load balancing, and telemetry. Access control policies can target both layer 7 and layer 4 properties to control access, routing, and more, based on service identity.

When it comes to detecting and preventing advanced attack techniques, you need to deploy security controls that go beyond Kubernetes Network Policies or Istio service access policies. Such controls should be able to define service-aware network policies for workloads that do not communicate inside the mesh; apply machine learning-based profiling, detection, and mitigation of post-intrusion events such as data exfiltration, lateral movement, and command & control communications, in particular over DNS, which Kubernetes relies on for service discovery; and define policies for the infrastructure and system services that operate outside the mesh, such as logging services and worker node monitoring.

Istio and Security

One of the goals and benefits of using Istio as a service-mesh infrastructure is improving the security of the cluster it is embedded in and the services it contains.
The security value of Istio has the following facets:

Istio authenticates workload identities and issues and manages the certificates those workloads use to establish mesh connectivity.

The service mesh traffic can be automatically encrypted with mutual endpoint authentication, using mTLS.

Fine-grained role-based access control at the application-layer network protocol can be used for micro-segmentation, further enhancing users’ ability to limit which services interact and in what ways.
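The three facets above (workload identity, mTLS, and application-layer RBAC) are expressed in Istio through two resources. The following is an added example written for this page, not configuration taken from Istio's or Alcide's own documentation; the namespace `shop`, the `frontend` and `orders` services, the `app: orders` label, the service account name, the paths and the port are all constructed placeholders.

```yaml
# Added example: enforce mutual TLS for every workload in the "shop" namespace.
# Namespace, service, label and port values are constructed placeholders.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT   # reject plaintext; peers must present a mesh-issued certificate
---
# Micro-segmentation for the "orders" workload. Once an ALLOW policy selects a
# workload, any request that matches no rule is denied, so only the listed caller
# and operations are admitted.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        # Identity: the SPIFFE principal of the frontend service account, proven by
        # the client certificate negotiated under STRICT mTLS (not by IP address).
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        # Layer 4 property: the listening port of the orders service.
        ports: ["8080"]
        # Layer 7 properties: only read-only calls on the orders API.
        methods: ["GET"]
        paths: ["/api/orders", "/api/orders/*"]
```

Apply both manifests with `kubectl apply -f`. A useful check after rollout: a `GET /api/orders` issued from a pod running under the `frontend` service account succeeds, while a `POST` from the same pod, or any request from a pod with a different service account, is answered by the Envoy sidecar with HTTP 403 `RBAC: access denied`, and a plaintext connection from a pod without a sidecar is rejected at the TLS handshake. Putting the `PeerAuthentication` in place before the `AuthorizationPolicy` matters, because `principals` can only be evaluated when the client is authenticated with mTLS.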

Alcide secures Kubernetes multi-cluster deployments from code-to-production. Companies use Alcide to scale their Kubernetes deployments without compromising on security. This enables the smooth operation of business apps while protecting cloud deployments from malicious attacks.